
WO2000067460A1 - Method and system for fraud detection in telecommunications - Google Patents

Info

Publication number
WO2000067460A1
Authority
WO
WIPO (PCT)
Prior art keywords
sub
event data
periods
profile
data packet
Prior art date
Application number
PCT/GB2000/001676
Other languages
French (fr)
Inventor
Katherine Butchart
Derek Dempsey
Original Assignee
Nortel Networks Limited
Priority date
Filing date
Publication date
Application filed by Nortel Networks Limited
Priority to IL146314A0 (application IL14631400A)
Priority to AU4588400A (application AU45884/00A)
Priority to CA2373017A1 (application CA002373017A)
Priority to EP1179260A1 (application EP00927481A)
Publication of WO2000067460A1

Classifications

    • H Electricity
      • H04 Electric communication technique
        • H04L Transmission of digital information, e.g. telegraphic communication
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
              • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
                • H04L 63/1416 Event detection, e.g. attack signature detection
                • H04L 63/1425 Traffic logging, e.g. anomaly detection
        • H04M Telephonic communication
          • H04M 15/00 Arrangements for metering, time-control or time indication; metering, charging or billing arrangements for voice wireline or wireless communications, e.g. VoIP
            • H04M 15/43 Billing software details
            • H04M 15/47 Fraud detection or prevention means
            • H04M 15/70 Administration or customization aspects; counter-checking correct charges
              • H04M 15/73 Validating charges
          • H04M 2215/00 Metering arrangements; time controlling arrangements; time indicating arrangements
            • H04M 2215/01 Details of billing arrangements
              • H04M 2215/0148 Fraud detection or prevention means
            • H04M 2215/22 Bandwidth or usage-sensitive billing
            • H04M 2215/32 Involving wireless systems
            • H04M 2215/70 Administration aspects, modify settings or limits or counter-check correct charges
              • H04M 2215/7072 Validate charges
          • H04M 3/00 Automatic or semi-automatic exchanges
            • H04M 3/22 Arrangements for supervision, monitoring or testing
              • H04M 3/2218 Call detail recording
              • H04M 3/36 Statistical metering, e.g. recording occasions when traffic exceeds capacity of trunks

Definitions

  • the present invention relates to a method and apparatus for performing pattern recognition within event streams, and a system incorporating the same.
  • One of the steps employed in, but not limited to use in, such fraud detection systems is pattern recognition from event streams.
  • Pattern recognition for event streams can be achieved by building up profiles of the behaviour of an entity and performing pattern recognition over these profiles.
  • In order for an entity to be profiled in this way, the entity must be able to have events associated with it. Examples of entities are: a single subscriber in a telephone network, a user accessing a data network, a switch in a telephone network or a server in a data network.
  • the events to be associated with the user must be able to be represented in an Event Data Packet (EDP).
  • the profiles of an entity's behaviour are compared with known patterns of unacceptable behaviour to determine if the system should alert the end user to the entity's behaviour pattern.
  • the flow of Event Data Packets 110 of information through a profiling pattern recognition system is shown in Figure 1.
  • the Recent profile 130 represents the typical usage for the entity over a recent period of time, approximately the last week.
  • the Historical profile 140 represents the typical use for the entity over a preceding and longer time period, for example approximately the last six weeks.
  • the EDPs are all accumulated into Polls of information.
  • a Poll 120 is a set of EDPs received over a particular time period (e.g. 4 hours).
  • the Poll information is then used to update the values in the Recent profile, and the Recent profile is then used to update the values in the Historical profile.
  • the solid arrow between the EDPs and the Poll indicates that the information in each Poll is directly created from the EDPs.
  • the dotted arrow between the Poll and the Recent indicates that the Poll information is used only to update the Recent behaviour, as is true for the Recent to Historical.
  • in an example where the EDPs are Call Detail Records (CDRs) and the profiles represent voice telephony usage, the profiles may consist of the number of calls made and the duration of national and international calls. Table 1 shows an example of Recent and Historical profiles for such a case.
  • Recent and Historic profiles may be as shown in Table 2.
  • the new recent profile is derived from the previous recent profile plus a proportion of the difference between the new Poll profile and the previous recent profile.
  • the new historic profile is derived from the previous historic profile plus a proportion of the difference between the previous recent profile and the previous historic profile; the proportion typically differs from that of the recent profile case in that a higher proportion of the old historic profile is taken.
  • the Recent and Historic profiles are built up from a series of Poll profiles. In order for the Recent and Historic profiles to maintain their integrity all Poll profiles must cover the same amount of time, for example a 4 hour period.
  • the period of time the Polls must all cover must not be too small, otherwise natural variations in behaviour will appear to be anomalous.
  • a typical recommended minimum is two hours.
  • the profiles generated only represent the active periods for the user; this means that a user who is active in only one two-hour period a week could have a similar profile to a user who is active in twenty of the two-hour periods in a week.
  • the known patterns have to be represented in the same time period that the system polls over. This can increase training times for the account fraud detection system which analyses the Poll, Recent profile, and Historical profile information in order to identify anomalies.
  • the invention seeks to provide an improved method and apparatus for behavioural pattern recognition for event streams in general and for event streams in account fraud detection systems in particular.
  • a method of profiling a flow of event data packets comprising the steps of: receiving data defining a plurality of sub-periods which partition a base time period; creating a profile of recent behaviour for each of said sub-periods; allocating each Event Data Packet to one of said sub-periods according to a time indication associated with said Event Data Packet.
  • the method may also comprise the steps of: creating a profile of historical behaviour for each of said sub-periods; at the end of said Base Time Period updating each of said Historical profiles responsive to the previous value of said Historical profile and a corresponding Recent profile, and resetting each said Recent profile.
  • the method may also comprise the steps of: calculating an Event density for at least one of said Recent profiles.
  • the said step of calculating an Event density comprises the steps of: identifying a current time; identifying a Recent profile within which said current time falls; dividing a number of events recorded in said Recent profile by a time duration determined by a difference between said current time and the start time of the sub-period associated with said Recent profile.
  • Said Event Data may correspond to time intervals of differing length.
  • the method may be used to capture a representation of inactivity within said flow.
  • the method may also be used to permit trend analysis for an initial sub-period during said sub-period.
  • a method of performing anomaly detection on a stream of Event Data Packets comprising the steps of: receiving data defining a plurality of sub-periods which partition a base time period; creating a Recent profile for each of said sub-periods; allocating each Event Data Packet to a sub-period according to a time indication in said Event Data Packet.
  • a method of account fraud detection comprising the steps of: receiving data defining a plurality of sub-periods which partition a base time period; creating a Recent profile for each of said sub-periods; receiving a series of Event Data Packets relating to account use; allocating each Event Data Packet to a sub-period according to a time indication in said Event Data Packet.
  • account use relates to telecommunications network use.
  • Event Data Packets are call detail records.
  • a method of network intrusion detection comprising the steps of: receiving data defining a plurality of sub-periods which partition a base time period; creating a Recent profile for each of said sub-periods; receiving a series of Event Data Packets relating to account use; allocating each said Event Data Packet to a sub-period according to a time indication in said Event Data Packet.
  • Event Data Packets relate to network audit log data.
  • Event Data Packets relate to IP packet data.
  • a system for profiling a flow of event data packets comprising: apparatus arranged to receive and store data defining a plurality of sub-periods which partition a base time period; apparatus arranged to create and store a Recent profile for each of said sub-periods; allocating each Event Data Packet to one of said sub-periods according to a time indication associated with said Event Data Packet.
  • the system may be arranged to receive a plurality of flows and to perform processing on each flow independently of each other.
  • a system for performing anomaly detection on a stream of Event Data Packets comprising: apparatus arranged to receive and store data defining a plurality of sub-periods which partition a base time period; apparatus arranged to create a profile of recent behaviour for each of said sub-periods; apparatus arranged to allocate each Event Data Packet to a sub-period according to a time indication in said Event Data Packet.
  • a system for account fraud detection comprising: apparatus arranged to receive and store data defining a plurality of sub-periods which partition a base time period; apparatus arranged to create a profile of recent behaviour for each of said sub-periods; apparatus arranged to allocate each Event Data Packet to a sub-period according to a time indication in said Event Data Packet.
  • a system for network intrusion detection comprising: apparatus arranged to receive and store data defining a plurality of sub-periods which partition a base time period; apparatus arranged to create a profile of recent behaviour for each of said sub-periods; apparatus arranged to allocate each Event Data Packet to a sub-period according to a time indication in said Event Data Packet.
  • the invention also provides for a system for the purpose of profiling a flow of event data packets which comprises one or more instances of apparatus embodying the present invention, together with other additional apparatus.
  • a machine readable medium arranged for profiling a flow of event data packets by: receiving data defining a plurality of sub-periods which partition a base time period; creating a Recent profile for each of said sub-periods; allocating each Event Data Packet to one of said sub-periods according to a time indication associated with said Event Data Packet.
  • Figure 1 shows a block diagram of information flow in a behavioural pattern recognition system in accordance with the prior art
  • Figure 2 shows a block diagram of information flow in a behavioural pattern recognition system in accordance with the present invention.
  • the method proposed here is illustrated in Figure 2.
  • the EDPs 210 (in this example taking the form of Call Detail Records (CDRs)) again feed into a Poll 220 of information and the Poll information is used to update the values in the Recent profiles 230a-f.
  • each entity has associated with it multiple Recent Profiles (six are shown but more or fewer may be used), where each Recent profile represents a period of time within a week (though a larger or shorter base period could be used), for example Saturday and Sunday between midnight and 8am.
  • the Recent Profiles together cover the whole of a week period.
  • Each Recent Profile has a related Historic Profile 240a-f which covers the same time period.
  • Recent Profiles are filled until they contain all the data for the time period they cover. Once filled the values are used to update the corresponding Historic profile, and then the Recent profile values are reset to zero, and filled with the next CDRs in the time covered by the profile.
  • a customer of voice telephony may have the Recent profiles of behaviour illustrated in Table 3 and corresponding Historic profiles illustrated in Table 4.
  • the CDR at 7am is added to Recent Profile 1.
  • Once this profile is 'complete', the historic profile is updated.
  • When the next time period is entered, its recent profile values are reset to zero and new values are accumulated.
  • the only Recent profiles changed are those that cover the same time period as the CDRs in the poll, namely periods 1 and 2.
  • the only Historic profile changed is in period 1, the values in the Recent profile having been used to update the Historic profile. After updating the Historic profile, the Recent profile is then reset to zero before new CDR information is added to it.
  • Event densities for historic profiles provide an average of behaviour over the whole time period. This means that dividing by the number of seconds in the time period gives the normal amount of behaviour in any one second. These are generally small values.
  • Recent profiles however may or may not contain values for the whole of the time period they cover. Frequently the Recent profile that is being analysed is not yet complete. For example, if ten minutes of event data require analysing for the time period 9.15am to 9.25am then a recent profile that covers the time period 8am to 6pm will be updated, but the time period for this profile is not yet complete. As the period is incomplete, the number of seconds to divide by is calculated as follows. The complete time period is divided into blocks of time, for example 30 minutes. A usage period consists of x of these blocks of time. The event data in the current incomplete Recent profile is divided by the number of seconds in the blocks covered so far. So event data covering up to 9.25am has covered three 30 minute blocks so far and the values are divided by 5400 seconds (90 minutes). Conversion into densities enables pattern recognition to be performed over event data that covers just a portion of the total time period. This method has the advantages that:
  • the polls of event data can be of any size whilst still allowing the profiles produced by the system to maintain their integrity;
  • the profiles represent accurately the behaviour of the user, including a representation of inactivity by the user, and a representation of the time of use.
  • This method may be used in several application areas. These include telephony fraud detection using call detail records (CDRs), anomaly detection on data streams, network intrusion detection using audit log data or IP packet data.
  • the method also provides a means of comparison between recent behaviour and past behaviour for event streams that has potentially wide application for the rapid detection of behavioural changes.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method and apparatus for profiling a flow of event data packets. The method comprises the steps of: receiving data defining sub-periods which partition a base time period, creating a profile of recent behaviour for each sub-period, and allocating each event data packet to one of the sub-periods according to a time indication associated with the event data packet. The method and apparatus may be used in anomaly detection within data streams and, in particular, account fraud detection where the event data relates to account usage.

Description

METHOD AND SYSTEM FOR FRAUD DETECTION IN TELECOMMUNICATIONS
FIELD OF THE INVENTION
The present invention relates to a method and apparatus for performing pattern recognition within event streams, and a system incorporating the same.
BACKGROUND TO THE INVENTION
In recent years there has been a rapid increase in the number of commercially operated telecommunications networks in general and in particular wireless telecommunication networks. Associated with this proliferation of networks is a rise in fraudulent use of such networks, the fraud typically taking the form of gaining illicit access to the network, and then using the network in such a way that the fraudulent user hopes subsequently to avoid paying for the resources used. This may for example involve misuse of a third party's account on the network so that the perpetrated fraud becomes apparent only when the third party is charged for resources which he did not use.
Since fraudulent use of a single account can cost a network operator a large sum of money within a short space of time it is important that the operator be able to identify and deal with the most costly forms of fraud at the earliest possible time.
One of the steps employed in, but not limited to use in, such fraud detection systems is pattern recognition from event streams.
Pattern recognition for event streams can be achieved by building up profiles of the behaviour of an entity and performing pattern recognition over these profiles. In order for an entity to be profiled in this way, the entity must be able to have events associated with it. Examples of entities are: a single subscriber in a telephone network, a user accessing a data network, a switch in a telephone network or a server in a data network. The events to be associated with the user must be able to be represented in an Event Data Packet (EDP). The profiles of an entity's behaviour are compared with known patterns of unacceptable behaviour to determine if the system should alert the end user to the entity's behaviour pattern.
The flow of Event Data Packets 110 of information through a profiling pattern recognition system is shown in Figure 1. The Recent profile 130 represents the typical usage for the entity over a recent period of time, approximately the last week. The Historical profile 140 represents the typical use for the entity over a preceding and longer time period, for example approximately the last six weeks. The EDPs are all accumulated into Polls of information. A Poll 120 is a set of EDPs received over a particular time period (e.g. 4 hours). The Poll information is then used to update the values in the Recent profile, and the Recent profile is then used to update the values in the Historical profile. The solid arrow between the EDPs and the Poll indicates that the information in each Poll is directly created from the EDPs. The dotted arrow between the Poll and the Recent indicates that the Poll information is used only to update the Recent behaviour, as is true for the Recent to Historical.
In an example where the EDPs are Call Detail Records (CDRs) and the profiles represent voice telephony usage, the profiles may consist of the number of calls made and the duration of national and international calls. Table 1 shows an example of Recent and Historical profiles for such a case.
[Table 1 (image not reproduced in this extraction): Voice telephony recent and historic profile example]
If subsequent CDRs create a Poll of:
• calls 3,
• national 500,
• international 100.
Then after polling and once all updates to Recent and Historic profiles have completed the Recent and Historic profiles may be as shown in Table 2.
The new Recent profile is derived from the previous Recent profile plus a proportion of the difference between the new Poll profile and the previous Recent profile.
The new Historic profile is derived from the previous Historic profile plus a proportion of the difference between the previous Recent profile and the previous Historic profile; the proportion typically differs from that of the Recent profile case in that a higher proportion of the old Historic profile is taken.
[Table 2 (image not reproduced in this extraction): Voice telephony recent and historic profile example after update]
It can be seen that the Recent profile has moved towards the newly added Poll profile and the Historic toward the previous Recent profile. These profiles provide a view of the entity's behaviour and how it changes over time. The profiles of behaviour can then be used for pattern recognition to identify which entity's behaviour reflects patterns to which the user of the system wishes to be alerted. There are however the following limitations to the method described above:
The Recent and Historic profiles are built up from a series of Poll profiles. In order for the Recent and Historic profiles to maintain their integrity all Poll profiles must cover the same amount of time, for example a 4 hour period.
The period of time the Polls must all cover must not be too small, otherwise natural variations in behaviour will appear to be anomalous. A typical recommended minimum is two hours.
These two limitations, taken together, mean that this method cannot be used for real time data feeds.
It is also incumbent upon the user to ensure that the data given to the product is split into appropriately sized chunks. This can be a burden to the user if, for example, hardware downtime means it is necessary to feed a backlog of data into the system.
The profiles generated only represent the active periods for the user; this means that a user who is active in only one two-hour period a week could have a similar profile to a user who is active in twenty of the two-hour periods in a week.
The nature of the data in the profile - as an average of activity in all X minute periods where the user had actually been active - where X is the duration of the Poll, is not intuitive to many end users of the system.
In order for pattern recognition to occur effectively, the known patterns have to be represented in the same time period that the system polls over. This can increase training times for the account fraud detection system which analyses the Poll, Recent profile, and Historical profile information in order to identify anomalies.
OBJECT OF THE INVENTION
The invention seeks to provide an improved method and apparatus for behavioural pattern recognition for event streams in general and for event streams in account fraud detection systems in particular.
SUMMARY OF THE INVENTION
According to a first aspect of the present invention there is provided a method of profiling a flow of event data packets comprising the steps of: receiving data defining a plurality of sub-periods which partition a base time period; creating a profile of recent behaviour for each of said sub-periods; allocating each Event Data Packet to one of said sub-periods according to a time indication associated with said Event Data Packet.
The method may also comprise the steps of: creating a profile of historical behaviour for each of said sub-periods; at the end of said Base Time Period updating each of said Historical profiles responsive to the previous value of said Historical profile and a corresponding Recent profile, and resetting each said Recent profile.
The method may also comprise the steps of: calculating an Event density for at least one of said Recent profiles.
In a preferred embodiment, the said step of calculating an Event density comprises the steps of: identifying a current time; identifying a Recent profile within which said current time falls; dividing a number of events recorded in said Recent profile by a time duration determined by a difference between said current time and the start time of the sub-period associated with said Recent profile.
Said Event Data may correspond to time intervals of differing length.
The method may be used to capture a representation of inactivity within said flow.
The method may also be used to permit trend analysis for an initial sub-period during said sub-period.
According to a further aspect of the present invention there is provided a method of performing anomaly detection on a stream of Event Data Packets comprising the steps of: receiving data defining a plurality of sub-periods which partition a base time period; creating a Recent profile for each of said sub-periods; allocating each Event Data Packet to a sub-period according to a time indication in said Event Data Packet.
According to a further aspect of the present invention there is provided a method of account fraud detection comprising the steps of: receiving data defining a plurality of sub-periods which partition a base time period; creating a Recent profile for each of said sub-periods; receiving a series of Event Data Packets relating to account use; allocating each Event Data Packet to a sub-period according to a time indication in said Event Data Packet.
In a preferred embodiment account use relates to telecommunications network use.
In a preferred embodiment said Event Data Packets are call detail records.
According to a further aspect of the present invention there is provided a method of network intrusion detection comprising the steps of: receiving data defining a plurality of sub-periods which partition a base time period; creating a Recent profile for each of said sub-periods; receiving a series of Event Data Packets relating to account use; allocating each said Event Data Packet to a sub-period according to a time indication in said Event Data Packet.
In a preferred embodiment said Event Data Packets relate to network audit log data.
In a preferred embodiment said Event Data Packets relate to IP packet data.
According to a further aspect of the present invention there is provided a system for profiling a flow of event data packets comprising: apparatus arranged to receive and store data defining a plurality of sub-periods which partition a base time period; apparatus arranged to create and store a Recent profile for each of said sub-periods; allocating each Event Data Packet to one of said sub-periods according to a time indication associated with said Event Data Packet.
The system may be arranged to receive a plurality of flows and to perform processing on each flow independently of each other.
According to a further aspect of the present invention there is provided a system for performing anomaly detection on a stream of Event Data Packets comprising: apparatus arranged to receive and store data defining a plurality of sub-periods which partition a base time period; apparatus arranged to create a profile of recent behaviour for each of said sub-periods; apparatus arranged to allocate each Event Data Packet to a sub-period according to a time indication in said Event Data Packet.
According to a further aspect of the present invention there is provided a system for account fraud detection comprising: apparatus arranged to receive and store data defining a plurality of sub-periods which partition a base time period; apparatus arranged to create a profile of recent behaviour for each of said sub-periods; apparatus arranged to allocate each Event Data Packet to a sub-period according to a time indication in said Event Data Packet.
According to a further aspect of the present invention there is provided a system for network intrusion detection comprising: apparatus arranged to receive and store data defining a plurality of sub-periods which partition a base time period; apparatus arranged to create a profile of recent behaviour for each of said sub-periods; apparatus arranged to allocate each Event Data Packet to a sub-period according to a time indication in said Event Data Packet.
The invention also provides for a system for the purpose of profiling a flow of event data packets which comprises one or more instances of apparatus embodying the present invention, together with other additional apparatus.
According to a further aspect of the present invention there is provided software on a machine readable medium arranged for profiling a flow of event data packets by: receiving data defining a plurality of sub-periods which partition a base time period; creating a Recent profile for each of said sub-periods; allocating each Event Data Packet to one of said sub-periods according to a time indication associated with said Event Data Packet.
The preferred features may be combined as appropriate, as would be apparent to a skilled person, and may be combined with any of the aspects of the invention.
BRIEF DESCRIPTION OF THE DRAWINGS
In order to show how the invention may be carried into effect, embodiments of the invention are now described below by way of example only and with reference to the accompanying figures in which:
Figure 1 shows a block diagram of information flow in a behavioural pattern recognition system in accordance with the prior art;
Figure 2 shows a block diagram of information flow in a behavioural pattern recognition system in accordance with the present invention.
DETAILED DESCRIPTION OF INVENTION
The method proposed here is illustrated in Figure 2. The EDPs 210 (in this example taking the form of Call Detail Records (CDRs)) again feed into a Poll 220 of information and the Poll information is used to update the values in the Recent profiles 230a-f. In this case each entity has associated with it multiple Recent Profiles (six are shown but more or fewer may be used), where each Recent profile represents a period of time within a week (though a larger or shorter base period could be used), for example Saturday and Sunday between midnight and 8am. The Recent Profiles together cover the whole of a week period. Each Recent Profile has a related Historic Profile 240a-f which covers the same time period.
Recent Profiles are filled until they contain all the data for the time period they cover. Once filled the values are used to update the corresponding Historic profile, and then the Recent profile values are reset to zero, and filled with the next CDRs in the time covered by the profile.
For example, a customer of voice telephony may have the Recent profiles of behaviour illustrated in Table 3 and corresponding Historic profiles illustrated in Table 4.
Table 3: Voice telephony recent profiles example
Table 4: Voice telephony historic profiles example
A collection of Event Data (CDRs) is then presented to the system. The CDRs cover 7am on a Monday through to 1 pm on the same Monday. The previous collection of data presented to the system had contained a CDR for 5am on the same Monday.
The CDR at 7am is added to Recent Profile 1. When this profile is 'complete' the historic profile is updated. When the next time period is entered its recent profile values are reset to zero and new values accumulated.
The Recent and Historic profiles after the data has been processed are as illustrated in Tables 5 and 6 respectively.
Table 5: Voice telephony recent profiles after processing
Table 6: Voice telephony historic profiles after processing
The only Recent profiles changed are those that cover the same time period as the CDRs in the poll, namely periods 1 and 2. The only Historic profile changed is in period 1, the values in the Recent profile having been used to update the Historic profile. After updating the Historic profile, the Recent profile is then reset to zero before new CDR information is added to it.
Historic profiles are only updated once the Recent profile has been filled with all the information for that time period. This means that the size of the Poll has no influence over the Historic profiles, and the Recent profiles can contain details for any sub-period of the time period they cover, or the whole time period. The profiles of behaviour are converted into Event Densities before pattern recognition is performed on them. Event Densities are produced by dividing the event data value by the number of seconds in the period during which those events occurred. For example, Table 6 shows an example set of Historic profile values and the corresponding event density values where the period covered 14400 seconds (4 hours).
Table 7: Voice telephony historic profiles after processing
Event densities for historic profiles provide an average of behaviour over the whole time period. This means that dividing by the number of seconds in the time period gives the normal amount of behaviour in any one second. These are generally small values.
Recent profiles however may or may not contain values for the whole of the time period they cover. Frequently the Recent profile that is being analysed is not yet complete. For example, if ten minutes of event data require analysing for the time period 9.15am to 9.25am then a recent profile that covers the time period 8am to 6pm will be updated, but the time period for this profile is not yet complete. As the period is incomplete the number of seconds to divide by is calculated as follows. The complete time period is divided into blocks of time, for example 30 minutes. A usage period consists of x of these blocks of time. The event data in the current incomplete Recent profile is divided by the number of seconds in the blocks covered so far. So event data covering up to 9.25am has covered three 30 minute blocks so far and the values are divided by 5400 seconds (90 minutes). Conversion into densities enables pattern recognition to be performed over event data that covers just a portion of the total time period. This method has the advantages that:
• the polls of event data can be of any size whilst still allowing the profiles produced by the system to maintain their integrity;
• polls of data for very small time periods can be handled easily;
• the preceding two advantages have the consequence that the system is suitable for both real time feeds and bulk batch feeds of poll data;
• there is consequently no burden on the end user to divide up the event data into fixed sized chunks; and
• the profiles represent accurately the behaviour of the user, including a representation of inactivity by the user, and a representation of the time of use.
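The scheme set out above (sub-periods partitioning a week, Recent profiles that are folded into Historic profiles once their sub-period is complete, and event densities whose divisor for a still-open Recent profile is the number of seconds in the 30-minute blocks entered so far) is shown here as an added worked example in Python. It is not code from the patent or from the applicant; the five sub-periods, the running-mean rule used to update a Historic profile (the patent does not fix one), the profile fields, the Monday date and the CDR timestamps are all assumptions made for this illustration, and the 30-minute block size is the one quoted in the description.

```python
import math
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed illustration of the Recent/Historic profiling scheme; not the patent's own code. The block
# size, the running-mean Historic update, the five sub-periods, the profile fields and the CDRs are assumed.

BLOCK = timedelta(minutes=30)                  # resolution block for incomplete Recent profiles
H, D = timedelta(hours=1), timedelta(days=1)
MONDAY = datetime(2000, 5, 1)                  # a Monday; start of the constructed sample week

class SubPeriod:
    """Sub-period of the weekly base period as [start, end) offsets from Monday 00:00; several segments
    let one profile cover e.g. 'Saturday and Sunday between midnight and 8am'."""
    def __init__(self, name: str, segments: List[Tuple[timedelta, timedelta]]):
        self.name, self.segments = name, segments
        self.seconds = int(sum((e - s).total_seconds() for s, e in segments))  # full-period divisor
        self.end = max(e for _, e in segments)                                   # profile complete here

    def contains(self, off: timedelta) -> bool:
        return any(s <= off < e for s, e in self.segments)

    def seconds_covered(self, off: timedelta) -> int:
        """Seconds in the 30-minute blocks entered so far; a partly covered block counts in full."""
        blocks = 0
        for s, e in self.segments:
            if off > s:
                blocks += math.ceil((min(off, e) - s) / BLOCK)
        return max(blocks, 1) * int(BLOCK.total_seconds())   # never divide by zero at period start

def week_start(ts: datetime) -> datetime:
    """Monday 00:00 of the week containing ts, i.e. the base period boundary."""
    return ts.replace(hour=0, minute=0, second=0, microsecond=0) - D * ts.weekday()

class Profiler:
    """Recent and Historic profiles for one entity, fed Event Data Packets in time order (assumed)."""
    FIELDS = ("calls", "seconds")   # constructed profile fields: call count and total call duration

    def __init__(self, sub_periods: List[SubPeriod]):
        self.sub_periods = sub_periods
        self.recent = [dict.fromkeys(self.FIELDS, 0.0) for _ in sub_periods]
        self.historic = [dict.fromkeys(self.FIELDS, 0.0) for _ in sub_periods]
        self.recent_week: List[Optional[datetime]] = [None] * len(sub_periods)  # week each Recent profile is filling
        self.historic_n = [0] * len(sub_periods)   # completed periods folded into each Historic profile
        self.completed: List[str] = []             # names of sub-periods rolled over so far

    def _roll_over(self, ts: datetime) -> None:
        """Fold every Recent profile whose sub-period has ended by ts into its Historic profile, then reset it."""
        for i, sp in enumerate(self.sub_periods):
            wk = self.recent_week[i]
            if wk is not None and ts >= wk + sp.end:
                n = self.historic_n[i]
                for k in self.FIELDS:   # running mean over completed periods (assumed update rule)
                    self.historic[i][k] = (self.historic[i][k] * n + self.recent[i][k]) / (n + 1)
                self.historic_n[i] = n + 1
                self.recent[i] = dict.fromkeys(self.FIELDS, 0.0)
                self.recent_week[i] = None
                self.completed.append(sp.name)

    def add_cdr(self, ts: datetime, duration_s: float) -> int:
        """Allocate one CDR to the Recent profile of the sub-period its timestamp falls in."""
        self._roll_over(ts)
        off = ts - week_start(ts)
        i = next(i for i, sp in enumerate(self.sub_periods) if sp.contains(off))
        if self.recent_week[i] is None:
            self.recent_week[i] = week_start(ts)
        self.recent[i]["calls"] += 1
        self.recent[i]["seconds"] += duration_s
        return i

    def historic_density(self, i: int) -> Dict[str, float]:
        """Average behaviour per second over the whole sub-period."""
        return {k: v / self.sub_periods[i].seconds for k, v in self.historic[i].items()}

    def recent_density(self, i: int, now: datetime) -> Dict[str, float]:
        """Behaviour per second over only the blocks of the sub-period covered up to `now`."""
        base = self.recent_week[i] or week_start(now)
        covered = self.sub_periods[i].seconds_covered(now - base)
        return {k: v / covered for k, v in self.recent[i].items()}

def weekly_sub_periods() -> List[SubPeriod]:
    """Five constructed sub-periods that together partition the week (the patent shows six)."""
    return [
        SubPeriod("Mon 00-08", [(0 * H, 8 * H)]),
        SubPeriod("Mon 08-18", [(8 * H, 18 * H)]),
        SubPeriod("Mon 18 - Fri 24", [(18 * H, 5 * D)]),
        SubPeriod("Sat-Sun 00-08", [(5 * D, 5 * D + 8 * H), (6 * D, 6 * D + 8 * H)]),
        SubPeriod("Sat-Sun 08-24", [(5 * D + 8 * H, 6 * D), (6 * D + 8 * H, 7 * D)]),
    ]

def demo() -> Profiler:
    """Process a constructed poll of CDRs (hour, minute, duration in seconds) from 7am to 1pm on Monday."""
    p = Profiler(weekly_sub_periods())
    for hour, minute, duration in [(7, 0, 120), (8, 15, 300), (9, 5, 60), (9, 20, 45), (12, 40, 600), (13, 0, 30)]:
        p.add_cdr(MONDAY + hour * H + minute * (H / 60), duration)
    return p
```

Running demo() reproduces the Monday scenario in the description: the 7am CDR lands in the first Recent profile, the 8.15am CDR completes that profile and folds it into its Historic profile before being counted in the second, and the density of the still-open 8am to 6pm profile at 1pm divides by the ten 30-minute blocks entered so far (18000 seconds) rather than the full 36000. For a Recent profile queried at 9.25am, seconds_covered returns the 5400 seconds quoted above. Claim 4 phrases the divisor as the elapsed time since the sub-period start; seconds_covered implements the block-rounded variant given in the description, and the max(blocks, 1) floor is a design choice so that a query at the exact start of a sub-period does not divide by zero.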
This method may be used in several application areas. These include telephony fraud detection using call detail records (CDRs), anomaly detection on data streams, network intrusion detection using audit log data or IP packet data. The method also provides a means of comparison between recent behaviour and past behaviour for event streams that has potentially wide application for the rapid detection of behavioural changes.
Any range or device value given herein may be extended or altered without losing the effect sought, as will be apparent to the skilled person for an understanding of the teachings herein.

Claims

1. A method of profiling a flow of event data packets comprising the steps of:
receiving data defining a plurality of sub-periods which partition a base time period;
creating a profile of recent behaviour for each of said sub-periods;
allocating each Event Data Packet received to one of said sub-periods according to a time indication associated with said Event Data Packet.
2. A method according to claim 1 comprising the steps of:
creating a profile of historical behaviour for each of said sub-periods;
at the end of said Base Time Period updating each of said Historical profiles responsive to the previous value of said Historical profile and a corresponding Recent profile, and resetting each said Recent profile.
3. A method according to any one of claims 1 - 2 additionally comprising the step of:
calculating an Event density for at least one of said Recent profiles.
4. A method according to claim 3 wherein said step of calculating an Event density comprises the steps of:
identifying a current time;
identifying a Recent profile within which said current time falls;
dividing a number of events recorded in said Recent profile by a time duration determined by a difference between said current time and a start time of the sub-period associated with said Recent profile.
5. A method according to any one of claims 1 - 4, wherein said Event Data may correspond to time intervals of differing length.
6. A method according to any one of claims 1 - 5, whereby to capture a representation of inactivity within said flow.
7. A method according to any one of claims 1 - 6, whereby to permit trend analysis for an initial sub-period during said sub-period.
8. A method of performing anomaly detection on a stream of Event Data Packets and comprising the steps of:
receiving data defining a plurality of sub-periods which partition a base time period;
creating a Recent profile for each of said sub-periods;
allocating each Event Data Packet to a sub-period according to a time indication in said Event Data Packet.
9. A method of account fraud detection comprising the steps of:
receiving data defining a plurality of sub-periods which partition a base time period;
creating a Recent profile for each of said sub-periods;
receiving a series of Event Data Packets relating to account use;
allocating each Event Data Packet to a sub-period according to a time indication in said Event Data Packet.
10. A method of account fraud detection according to claim 9, wherein said account use relates to telecommunications network use.
11. A method of account fraud detection according to any one of claims 9 - 10, wherein said Event Data Packets are call detail records.
12. A method of network intrusion detection comprising the steps of:
receiving data defining a plurality of sub-periods which partition a base time period;
creating a Recent profile for each of said sub-periods;
receiving a series of Event Data Packets relating to account use;
allocating each said Event Data Packet to a sub-period according to a time indication in said Event Data Packet.
13. A method of network intrusion detection according to claim 12, wherein said Event Data Packets relate to network audit log data.
14. A method of network intrusion detection according to claim 12, wherein said Event Data Packets relate to IP packet data.
15. A system for profiling a flow of event data packet polls comprising:
apparatus arranged to receive and store data defining a plurality of sub-periods which partition a base time period;
apparatus arranged to create and store a Recent profile for each of said sub-periods;
allocating each Event Data Packet in said Poll to one of said sub-periods according to a time indication associated with said Event Data Packet.
16. A system according to claim 15 arranged to receive a plurality of flows and to process each flow independently of each other.
17. A system for performing anomaly detection on a stream of Event Data Packets and comprising:
apparatus arranged to receive and store data defining a plurality of sub-periods which partition a base time period;
apparatus arranged to create a Recent profile for each of said sub-periods;
apparatus arranged to allocate each Event Data Packet to a sub-period according to a time indication in said Event Data Packet.
18. A system for account fraud detection comprising:
apparatus arranged to receive and store data defining a plurality of sub-periods which partition a base time period;
apparatus arranged to create a profile of recent behaviour for each of said sub-periods;
apparatus arranged to allocate each Event Data Packet to a sub-period according to a time indication in said Event Data Packet.
19. A system for network intrusion detection comprising:
apparatus arranged to receive and store data defining a plurality of sub-periods which partition a base time period;
apparatus arranged to create a profile of recent behaviour for each of said sub-periods;
apparatus arranged to allocate each Event Data Packet to a sub-period according to a time indication in said Event Data Packet.
20. Software on a machine readable medium arranged for profiling a flow of event data packet polls by:
receiving data defining a plurality of sub-periods which partition a base time period;
creating a profile of recent behaviour for each of said sub-periods;
allocating each Event Data Packet in said Poll to one of said sub-periods according to a time indication associated with said Event Data Packet.
PCT/GB2000/001676 1999-05-04 2000-04-28 Method and system for fraud detection in telecommunications WO2000067460A1 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
IL14631400A IL146314A0 (en) 1999-05-04 2000-04-28 Method and system for fraud detection in telecommunications
AU45884/00A AU4588400A (en) 1999-05-04 2000-04-28 Method and system for fraud detection in telecommunications
CA002373017A CA2373017A1 (en) 1999-05-04 2000-04-28 Method and system for fraud detection in telecommunications
EP00927481A EP1179260A1 (en) 1999-05-04 2000-04-28 Method and system for fraud detection in telecommunications

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB9910268.3 1999-05-04
GBGB9910268.3A GB9910268D0 (en) 1999-05-04 1999-05-04 Behavourial pattern recognition for event streams

Publications (1)

Publication Number Publication Date
WO2000067460A1 true WO2000067460A1 (en) 2000-11-09

Family

ID=10852761

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2000/001676 WO2000067460A1 (en) 1999-05-04 2000-04-28 Method and system for fraud detection in telecommunications

Country Status (6)

Country Link
EP (1) EP1179260A1 (en)
AU (1) AU4588400A (en)
CA (1) CA2373017A1 (en)
GB (1) GB9910268D0 (en)
IL (1) IL146314A0 (en)
WO (1) WO2000067460A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1497748A1 (en) * 2002-03-28 2005-01-19 Neural Technologies Ltd. Configurable profiling of data
US7142651B2 (en) 2001-11-29 2006-11-28 Ectel Ltd. Fraud detection in a distributed telecommunications networks
US11062315B2 (en) 2018-04-25 2021-07-13 At&T Intellectual Property I, L.P. Fraud as a service

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5375244A (en) * 1992-05-29 1994-12-20 At&T Corp. System and method for granting access to a resource
WO1996031043A1 (en) * 1995-03-30 1996-10-03 British Telecommunications Public Limited Company Detecting possible fraudulent communications usage
WO1997003533A1 (en) * 1995-07-13 1997-01-30 Northern Telecom Limited Detecting mobile telephone misuse
WO1999005844A1 (en) * 1997-07-22 1999-02-04 British Telecommunications Public Limited Company Fraud monitoring system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
BARSON P ET AL: "The detection of fraud in mobile phone networks", INTERNATIONAL NEURAL NETWORK SOCIETY ANNUAL MEETING. PROCEEDINGS OF WORLD CONGRESS ON NEURAL NETWORKS,XX,XX, vol. 6, no. 4, 16 April 1996 (1996-04-16), pages 477 - 484, XP002085421 *
BURGE P ET AL: "Fraud detection and management in mobile telecommunications networks", EUROPEAN CONFERENCE ON SECURITY AND DETECTION, 28 April 1997 (1997-04-28), XP002085420 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7142651B2 (en) 2001-11-29 2006-11-28 Ectel Ltd. Fraud detection in a distributed telecommunications networks
EP1497748A1 (en) * 2002-03-28 2005-01-19 Neural Technologies Ltd. Configurable profiling of data
EP1497748A4 (en) * 2002-03-28 2006-09-06 Neural Technologies Ltd Configurable profiling of data
US7471780B2 (en) 2002-03-28 2008-12-30 Cerebrus Solutions Limited Configurable profiling of data
US11062315B2 (en) 2018-04-25 2021-07-13 At&T Intellectual Property I, L.P. Fraud as a service
US11531989B2 (en) 2018-04-25 2022-12-20 At&T Intellectual Property I, L.P. Fraud as a service

Also Published As

Publication number Publication date
GB9910268D0 (en) 1999-06-30
EP1179260A1 (en) 2002-02-13
CA2373017A1 (en) 2000-11-09
AU4588400A (en) 2000-11-17
IL146314A0 (en) 2002-07-25

Similar Documents

Publication Publication Date Title
US7406161B2 (en) System and method for real-time fraud detection within a telecommunication network
US5805686A (en) Telephone fraud detection system
US7457401B2 (en) Self-learning real-time prioritization of fraud control actions
US6597775B2 (en) Self-learning real-time prioritization of telecommunication fraud control actions
US6601014B1 (en) Dynamic deviation
CN110677269B (en) Method and device for determining communication user relationship and computer readable storage medium
WO2000067460A1 (en) Method and system for fraud detection in telecommunications
US7631355B2 (en) System and method for identifying extreme behavior in elements of a network
US8494128B2 (en) Performance monitoring in a telephone network
CN107086978A (en) A kind of method and device for recognizing trojan horse
US7471780B2 (en) Configurable profiling of data
CN114338916B (en) Theft-fighting alarm method and system
CN106982452B (en) Method and device for determining call quality
CN114866645A (en) Method and device for processing customer service incoming call and electronic equipment
CN103188651A (en) Information correlation method and device
KR20050026191A (en) Telecommunication system using single-rate charging service, and single-rate charging apparatus and method therefor
WO2003090081A1 (en) A hierarchical system for analysing data streams

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GE GH GM HU ID IL IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG US UZ VN YU ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
ENP Entry into the national phase

Ref document number: 2373017

Country of ref document: CA

Ref country code: CA

Ref document number: 2373017

Kind code of ref document: A

Format of ref document f/p: F

WWE Wipo information: entry into national phase

Ref document number: 2000927481

Country of ref document: EP

WWP Wipo information: published in national office

Ref document number: 2000927481

Country of ref document: EP

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

NENP Non-entry into the national phase

Ref country code: JP